Security is one of the most important aspects of any customer’s successful AWS implementation. Customers want to maintain similar security and compliance postures in their AWS environments as they have on-premises. Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

Within a VPC, security groups act as a stateful virtual firewall attached to each instance, controlling the inbound and outbound traffic allowed to reach it. Customers use security groups, together with separate VPCs, to isolate their different environments, tiers, and applications. However, those isolated VPCs still need to reach other VPCs, the internet, or the customer’s on-premises environment. One AWS-recommended way to accomplish this is with a Transit VPC.

Securing a Transit VPC and its traffic follows a pattern similar to the one used for securing an on-premises network. One common component of that architecture is a firewall. Firewalls allow customers to monitor network traffic and are complementary to the native AWS security features (security groups and network ACLs). A firewall provides the following security services for the traffic it monitors:

Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) is a network security technology originally built to detect exploitation of vulnerabilities in a target application or host. IPS extended IDS by adding the ability to block threats in addition to detecting them, and has become the dominant deployment option for IDS/IPS technology.

URL Filtering limits access by comparing web traffic against a categorized database of sites, preventing users from reaching unproductive or harmful destinations such as phishing pages.

Malware Detection is the use of systems that detect the transmission of malware over a network, or the activity of malware already present on the network.

Application Visibility identifies which applications are in use on the network, regardless of port or protocol, and provides the capability to understand and control their use.

The Transit DMZ Architecture integrates a firewall into the transit hub of a Transit VPC, allowing the firewall to monitor and secure traffic between VPCs, traffic to and from the internet, and traffic ingressing from and egressing to on-premises.

Transit DMZ Architecture Diagram

At a high level, the Transit VPC from Aviatrix provides a high-performance, autoscaled architecture that can support up to 10Gbps per tunnel. It centralizes provisioning and visualization while avoiding legacy network protocols in the cloud. Incorporating a firewall into the Aviatrix Transit VPC allows the firewall to monitor and secure traffic between VPCs, from VPCs to the internet, and from on-premises to the VPCs. Aviatrix’s Cloud-Defined networking enables automated provisioning and management of this complex routing requirement.

This separation of duties gives organizations the agility to make technology decisions across CloudOps, Networking, and Security functions without affecting each other. The firewall functions are independent of the software-defined routing components, so organizations can apply different security policies and features to different data flows.

Highly Available Architecture

The Transit DMZ Architecture has DMZ subnets with a route to an AWS Internet Gateway (IGW), which allows the firewalls and cloud routers to reach the internet. As the diagram above shows, from the bottom up, datacenter connectivity into AWS lands in the Transit VPC through an AWS Virtual Private Gateway (VGW). This VGW is called the “Land-VGW”.

The “Land-VGW” is connected to a pair of firewalls, so traffic to and from the datacenter is inspected and filtered. The firewalls connect to a second VGW on the other side (called the “Transit-VGW”) that connects to a pair of Aviatrix Transit Gateways. The Aviatrix Transit Gateways in turn connect to the Aviatrix Spoke Gateways in each spoke VPC.

This connectivity pattern allows for inspection and monitoring of all the traffic patterns mentioned above. It also provides high availability and failover if any of the instances fail. The firewall tier is highly available through multiple instances with BGP for failover. The Aviatrix Gateways are also highly available, with a pair of Gateways in the hub and in each spoke. Both components can be spread across AWS Availability Zones for cross-AZ failover. Since the VGWs that connect to these instances are natively highly available, the result is a Transit DMZ Architecture with no single point of failure.
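The pattern above only delivers inspection if every spoke VPC actually sends its non-local traffic to the spoke gateway and nothing else; a stray default route to an Internet Gateway or a VPC peering route in a spoke route table silently bypasses the firewall. The following audit is an added example written for this post, not Aviatrix or AWS code. It assumes the spoke gateway appears in the route table as an EC2 network interface (`NetworkInterfaceId`), that only the transit VPC's DMZ subnets are allowed an IGW route, and that the route-table records are constructed to mimic the shape of EC2 `describe_route_tables` output; all resource IDs are placeholders.

```python
"""Audit spoke-VPC route tables for routes that bypass the Transit DMZ.

Added example, not Aviatrix or AWS code. In the Transit DMZ pattern only the
DMZ subnets in the transit hub should reach an Internet Gateway directly;
every spoke subnet's default route should point at the spoke gateway
instance (referenced here by its ENI, an assumption) so all traffic is
inspected by the firewall.
"""
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample data shaped like EC2 describe_route_tables() output.
# All identifiers are placeholders for this example.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-spoke-a", "VpcId": "vpc-spoke-a",
     "Routes": [
         {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0",
          "NetworkInterfaceId": "eni-spokegw-a"},   # correct: via spoke gateway
     ]},
    {"RouteTableId": "rtb-spoke-b", "VpcId": "vpc-spoke-b",
     "Routes": [
         {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
         # Misconfiguration: a direct IGW route bypasses the firewall
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-spoke-b"},
         # Misconfiguration: a peering route bypasses the transit hub
         {"DestinationCidrBlock": "10.10.0.0/16",
          "VpcPeeringConnectionId": "pcx-spoke-ab"},
     ]},
    {"RouteTableId": "rtb-transit-dmz", "VpcId": "vpc-transit",
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-transit"},
     ]},
]

TRANSIT_VPC_ID = "vpc-transit"
SPOKE_GATEWAY_ENIS = {"eni-spokegw-a", "eni-spokegw-b"}

# Keys EC2 uses to name a route target; exactly one is present per route.
TARGET_KEYS = ("GatewayId", "NetworkInterfaceId", "InstanceId",
               "VpcPeeringConnectionId", "NatGatewayId", "TransitGatewayId")


def route_target(route):
    """Return (target_key, target_id) for an EC2 route record."""
    for key in TARGET_KEYS:
        if key in route:
            return key, route[key]
    return None, None


def audit_route_table(table, spoke_gateway_enis, transit_vpc_id):
    """Return a list of findings; an empty list means the table is compliant."""
    findings = []
    if table["VpcId"] == transit_vpc_id:
        return findings  # the hub's DMZ subnets are expected to reach the IGW
    rtb = table["RouteTableId"]
    default_via_spoke_gw = False
    for route in table["Routes"]:
        cidr = route.get("DestinationCidrBlock")
        if cidr is None:
            continue  # IPv6 and prefix-list routes are out of scope here
        dest = ipaddress.ip_network(cidr, strict=False)
        key, target = route_target(route)
        if target == "local":
            continue
        if key == "GatewayId" and target.startswith("igw-"):
            findings.append(f"{rtb}: {dest} -> {target} bypasses the firewall (direct IGW)")
        elif key == "VpcPeeringConnectionId":
            findings.append(f"{rtb}: {dest} -> {target} bypasses the transit hub (VPC peering)")
        elif key == "NetworkInterfaceId" and target in spoke_gateway_enis:
            if dest == DEFAULT_ROUTE:
                default_via_spoke_gw = True
        else:
            findings.append(f"{rtb}: {dest} -> {target} is not a known spoke gateway")
    if not default_via_spoke_gw:
        findings.append(f"{rtb}: no default route via a spoke gateway")
    return findings


def audit_all(tables, spoke_gateway_enis=SPOKE_GATEWAY_ENIS,
              transit_vpc_id=TRANSIT_VPC_ID):
    """Map each route table ID to its findings (only non-compliant tables)."""
    results = {}
    for table in tables:
        findings = audit_route_table(table, spoke_gateway_enis, transit_vpc_id)
        if findings:
            results[table["RouteTableId"]] = findings
    return results


if __name__ == "__main__":
    for rtb, findings in audit_all(ROUTE_TABLES).items():
        for finding in findings:
            print(finding)
```

Against the constructed data, `rtb-spoke-a` and the hub's DMZ table pass, while `rtb-spoke-b` produces three findings: the direct IGW default route, the peering route to `vpc-spoke-a`, and the absence of a default route through a spoke gateway. In a real account the same function would be fed the `RouteTables` list returned by `describe_route_tables`, with the spoke gateway ENIs taken from the gateway instances' network interfaces.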

Now, let’s look at each traffic flow pattern.

On-premises to AWS traffic flow

VPC initiated internet traffic flow

Inspect and filter VPC to VPC traffic

Summary

The Transit DMZ Architecture provides customers with a scalable, customizable pattern to define their cloud security posture in a similar fashion to their on-premises posture. The key benefits of this architecture are:

Threat detection and remediation for traffic between VPCs, to and from the internet, and ingressing from or egressing to on-premises.

Highly available and scalable Transit VPC architecture

Separate networking and security functions

Network-as-Code and Security-as-Code.

For more information on this architecture and best practices, please reach out to info@aviatrix.com